Prior to the legislature closing on May 8, Colorado lawmakers passed SB 41, which amends the Colorado Privacy Act (CPA) to add protections for children’s data privacy. If signed into law by Colorado Governor Jared Polis, it will go into effect on October 1, 2025. The bill creates new obligations for entities that offer any online service, product, or feature to minors (under 18). The bill is modeled on Connecticut’s SB 3 signed into law last June.

In the below article, we provide an overview of the obligations under SB 41 and the key differences between SB 41 and Connecticut’s SB 3.

Applicability

The bill’s requirements apply to more entities than the CPA currently covers because it does not have the same revenue and processing threshold requirements. The children’s privacy specific provisions under the CPA apply to any entity that offers an online service, product, or feature to whom the entity actually knows or willfully disregards are minors (under 18).

Controller Obligations

Duty of Care

Any controller that offers any online service, product, or feature to a consumer that the controller actually knows or willfully disregards is a minor has an overall duty to use reasonable care to avoid any heightened risk of harm to minors caused by the online service, product, or feature. Under the law “heightened risk of harm” means processing the personal data of minors in a way that presents a reasonably foreseeable risk of:

• Unfair or deceptive treatment of, or unlawful disparate impact on minors
• Financial, physical, or reputational injury to minors
• Unauthorized disclosure of the personal data of minors as a result of a security breach
• Physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors, if the intrusion would be offensive to a reasonable person

Prohibited Activities

A controller must obtain the minor’s consent, or if the minor is a child (under 13), the consent of the minor’s parent or legal guardian, to process a minor’s personal data for the following:

1. Specific Processing. For the purpose of (i) targeted advertising; (ii) sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
2. Processing Purposes. Any processing purpose other than the disclosed processing purpose at the time of collection, or that is reasonably necessary for and compatible with the disclosed processing purpose.
3. Reasonably Necessary. For processing longer than is reasonably necessary to provide the online service, product, or feature.
4. Geolocation Data. The collection of precise geolocation data, unless: (i) precise geolocation data is reasonably necessary for the controller to provide the online service, product, or feature; (ii) the controller only collects and retains the precise geolocation data for the time necessary to provide the online service, product, or feature; and (iii) the controller provides to the minor a signal indicating that the controller is collecting precise geolocation data and the signal is available to the minor for the entire duration of the collection.
5. Extended Use. The use of any system design feature to significantly increase, sustain, or extend a minor’s use of the online service product, or feature.

In addition, a controller that offers any online service, product, or feature to minors may not offer any type of direct messaging apparatus for use by a minor without providing accessible and easy-to-use safeguards to limit the ability of an adult who is not connected to the minor, to send unsolicited communications to the minor. This limitation does not apply to an online service, product, or feature with the predominant or exclusive function of electronic mail or direct messaging where the messages are visible only to the sender and the recipient, and not posted publicly.

Data Protection Assessments.

As we have seen with other state privacy laws, under SB 41 controllers must prepare a data protection assessment for any online service, product, or feature that presents a heightened risk of harm to minors. The assessment must address:

1. Categories of personal data processed
2. Processing purposes
3. Any heightened risk of harm reasonably foreseeable

If the controller conducts a data protection assessment to comply with another applicable law, the assessment will satisfy the requirement under SB 41 if the assessment is similar in scope. The Attorney General has the right to request a controller’s data protection assessment to evaluate for compliance. The data protection assessment requirement will only apply to processing activities created or generated after October 1, 2025, and is not retroactive.

Colorado vs. Connecticut

Geolocation Data

SB 41 contains an interesting exemption under the precise geolocation data requirement. The bill provides that the requirement to provide a signal indicating that the controller is collecting a minor’s precise geolocation data will not apply to any service or application that is used by and under the direction of a ski area operator. This is a Colorado specific exemption, that clearly considers a large state industry.

Rebuttable Presumption and Enforceability

Overall, in any enforcement action brought by the Attorney General or District Attorney, there is a rebuttable presumption that a controller used reasonable care if the controller complied with its obligations as listed above.

Until December 31, 2026, companies will have 60 days to cure any violation following notice from the Attorney General or District Attorney. After December 31, 2026, the right to cure will expire.

[View source.]